Thursday night, at a StrictlyVC event in San Francisco, I sat down with Confide cofounder and president Jon Brod to talk with him about his decidedly topsy turvy 2017. Though his three-year-old messaging app was the belle of the ball at the start of the year — Wired, the Washington Post, and Axios were among others to note it was a hit with frustrated White House staffers — its positive momentum was abruptly thwarted by security researchers who published a report saying the app wasn’t living up to its claims.
It was later reported that Confide had quickly addressed those vulnerabilities. Roughly one month later, a separate lawsuit followed, claiming that another of its features isn’t foolproof.
I discussed that ongoing case with Brod. He also talked about the app’s future, which may include video (assuming Confide can shake off the suit first). More from our chat below, edited for length.
TC: You’d worked for the NBA, for AskJeeves, for IAC, then you spent four years at AOL, including as the cofounder of AOL Ventures. How did you wind up running a secure messaging app company?
JB: I’d spent four years at AOL in various executive positions and I was going to leave and serendipitously, Howard Lerman, who’s also the founder and CEO of [newly public] Yext, emailed me about wanting to hire someone who used to work with me at AOL. It took many missed phone calls and traded emails before we connected six days later [because we didn’t want to discuss anything sensitive online], and that was sort of the ‘aha’ moment for Confide. So we gathered up some engineers, prototyped Confide, and started the company.
TC: How much funding have you raised?
JB: We initially raised just less than $2 million, including from SV Angel, [investor] David Tisch, GV, [Yelp CEO] Jeremy Stoppelman, WGI, and First Round Capital, among others. A year ago, we closed a $1.5 million seed extension round, so $3.4 million all in.
TC: How many people use Confide?
JB: You know I’m not going to tell you that. [Laughs.] We don’t give out user numbers but also, as a confidential messenger service, we actually can’t track a ton of stuff. Almost everything we track is in aggregate and anonymous, so we do know how many active users [we have] and how many messages get sent on the platform, but . . . things are going quite well.
TC: I love Confide, but I use it for very specific use cases. How often do people open and use it on average?
JB: There’s this cohort for whom this is what they use as everyday messenger and the [daily and monthly active users] on that is fantastic. Then there are people, I guess like you, that, when there are confidential sensitive things, you use Confide, and you use other messenger platforms and email [for other communications]. I use iMessenger all the time, but when it comes to sensitive material, I mean, you’re insane if you’re still using regular text and email.
TC: Speaking of leaks, you had some amazing press earlier this year, with a number of accounts about all the unhappy White House staffers who use Confide. Were you aware that it had taken off in Washington or did you see it in the news?
JB: Here’s how that went down: I got a Confide message in December from a former high school classmate, and he says, “Did you know a lot of Trump’s transition team is using Confide?” And I said, “No, how do you know?” And he said, “They’re contacting me on Confide.”
Not long after, Axios reached out to me and said, “We’re on Confide and we’re noticing a stream of GOP political operatives coming on to the system and we’d love to talk with you about it.” So I do that interview; [Axios cofounder] Mike Allen runs it in his daily newsletter, and everyone starts calling us.
TC: I believe Spicer also warned them that disappearing text messages involving anything government related was a violation of the Federal Records Act. Did you hear from the White House about this?
JB: No, we haven’t been contacted by the White House, but you raise an interesting point that also receives a lot of press attention, which is the legality of this. My position is pretty straightforward: There are certain people in certain industries for whom certain communications are regulated — maybe FINRA in financial services or the Federal Records Act if you’re a member of the executive branch of the government. If you’re regulated, please use Confide in a way that complies with that regulation, just as you would any other communication device.
TC: So there’s all this excitement around Confide. But as your profile is rising, security researchers are following you more closely and by mid February, you’re slammed in the press by a report that says there are holes in the app. In layman’s terms, what exactly happened, and how did you resolve it?
JB: A security research firm comes and tries to find vulnerabilities in Confide. We’re able to detect them coming and are able to fix most of their issues in real time. There are some that we can’t, and they notify us, and then through a responsible disclosure — which is generally how these work with security firms — they give us a little time to fix the problems. We fix them incredibly quickly. Then they go out and publicize their research paper. Importantly, no Confide user was impacted throughout any of this. We made all the changes, and that’s what happened.
TC: One concern of a colleague of mine at TechCrunch, our security reporter, Kate, is your use of the label “military grade” security in marketing the app. What does that mean?
JB: It’s hard to describe encryption and security, so we use terms that give people a general sense [of what it means], and “military grade” is one of those terms that we use. Basically, this is end-to-end encryption, and what that means is that as soon as you hit send on a message, it gets encrypted, and the only thing that can decrypt that message is a unique key that is generated on and never leaves the device of the recipient. Then once the message sort of detects that key, it gets decrypted. That’s what we mean by end-to-end, or military grade, encryption.
But then after we decrypt something, we go another step. After we decrypt a message, there’s an ephemeral component. So once you read a message, you hit close or reply, and the message is gone forever. We delete it from our servers and wipe it from the phone. We also have screenshot protection; we’ve gone to great lengths to prevent screenshots, because they’re the enemy of the disappearing. So fundamentally, we’re trying to take the privacy of the spoken word and we’re trying to port that to the convenience of digital communication.
TC: Before we get into this screenshot protection, another feature of your technology that concerns Kate is why you’ve created your own code, rather than use tried-and-tested protocols. Relatedly, she mentioned that because Confide’s encryption protocol hasn’t been publicly tested and hacked and audited to ensure that it’s strong, it could be hard for you to sell to enterprises. Wickr went public with its own code in February for that same reason.
JB: So open source is kind of a double-edged sword. In one respect, you put the playbook out there, which gives people increased confidence. On the other hand, it creates vulnerabilities, particularly around the ephemerality and the screenshot protection. So to this point, we’ve elected not to open source our code; it’s the same philosophy that some other end-to-end encrypted messengers, like iMessage, have. But it’s something we continuously discuss and we’ll continue to evaluate.
TC: Do you want to go after enterprises eventually? Is that where the money is?
JB: Our business is really good right now and it’s focused on the consumer; it’s a freemium model. In-app subscriptions is the greatest business model that I don’t think enough entrepreneurs fully understand or appreciate. So that’s where our focus is. We do have an enterprise solution. After the Sony hacks, we received a number of inbound inquiries from businesses; we built a solution for them. We have customers. But the freemium model is really our focus.
TC: You’ve mentioned your screenshot protection a couple of times. But you’re facing a recently filed class action lawsuit that alleges it doesn’t work, and the former customer who is suing you is represented by a law firm known for its scorched-earth tactics. In fact, Y Combinator president Sam Altman has characterized its founder as a “leech tarted up as a freedom fighter.” What’s happening? And do you settle this thing?
JB: I can’t comment on the lawsuit other than to say it’s completely unfounded and meritless. It’s equivalent to a shakedown. This is what this [law firm] does; it goes after high-flying and other tech companies. This will get thrown out rather quickly, and I look forward to that day.
TC: What’s on the roadmap? You sent me a text earlier today with an emoji, which is the first time I’d seen that.
JB: We do have stickers as part of Confide plus, which also includes unlimited attachments and photos and all of that. We’re about to launch an iPad app, which is going to be great; it’s one of the top things our customers are asking us for.
We’re also playing around with video, which is something else we’ve been asked for a lot. We think it’s super interesting, and we’re playing around with screenshot protection on video and hoping to do something innovative and interesting there.
TC: Is illicit material being sent over your platform a concern?